Project Overview

AAF is first-order Security Infrastructure that

...

has been brought into ONAP for the following:

  • AAF allows each ONAP Component to have a "Namespace" to set up their important Security Authentication and Authorization elements
    • Permissions
    • Roles
    • Credentials
  • AAF provides Access to Organizational Identities
    • There is a maintained set of Identities for use in ONAP Test Systems for each ONAP Component
  • Credentials for these Identities
    • Passwords as appropriate
      • AAF has the ability to delegate to the Organization, but houses all Passwords for ONAP Testing.
    • Certificates
      • These certificates have a unique Authorized Identity embedded, which supports two-way (mutual) TLS Authentication
      • These certificates can also be used as Server-side certificates
  • Authorizations (Fine Grained)
    • AAF provides Applications or other Enforcement Points with APP configured Permissions
  • Roles
    • AAF provides Roles for Identities that include any Granted Permissions
  • OAuth Tokens and Introspection
    • Currently unused by ONAP
  • Locator
    • AAF Components and ports can be found Globally
    • AAF Team would like Arch Team to know the following about the Locator
      1. "Locator" is not technically restricted to AAF.  It can register (protected by Authentication/Authorization) any running process/port/interface 
      2. Registrations include Global Coordinates, allowing Clients to pick the "closest" one
      3. Locator is independent of any "Cluster" or "Container" mechanisms, which gives accessibility to any network accessible component
        1. Globally - Components can reside anywhere in the world
        2. Scalable - You can start any new instances anywhere and instantly increase capacity and usage
          1. "For best results", use Cassandra in a scalable way.
        3. Resilient - VMs, Clusters, Datacenters, K8s could go down, and Authentication/Authorization is still accessible.
  • Security FS
    • AAF provides a globally accessible Fileserver to get public security information, e.g.:
      • CRLs (Certificate Revocation Lists)
      • Root Certificates (any the Organization wants to publish)
      • Organization-approved Truststores, etc.
  • Approval Processing mechanisms
  • AAF provides real-time RESTful-based
    • fast evaluation of Security Authorization (and Authentication, if housed in AAF)
    • Management API for all AAF components, protected by Stringent Authentication and Authorization
  • AAF provides Java Client Infrastructure
    • CADI Framework, primarily Java
      • Includes all AAF interactions
      • Is able to process MULTIPLE kinds of Authentication in the same Client (X509, BasicAuth and OAuth included, Adapter Interfaces for Company based elements)
    • Shiro Adapter included for ONAP use of ODL
  • AAF provides Auto-Configuration for Clients, and Auto-Generation of ONAP Certs
    • as part of "Bare Metal"
    • on Docker "volumes"
  • Root CA Access
    • For ONAP, AAF is providing "Root CA Capabilities" by using AAF Certman to generate Certs from an Issuer CA.  This is for TEST only
    • AAF has the ability to use the "SCEP" protocol with CAs (for example, a Windows Server CA).  However, this is not provided or validated by ONAP.
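The Namespace / Permission / Role model described in the list above (each component owns a namespace, permissions are granted to roles, identities are placed in roles, and an enforcement point asks whether an identity is authorized) can be illustrated with a small self-contained model. The code below is an added example written for this page; it is not AAF's or CADI's code and does not use AAF's API. The permission shape (namespace, type, instance, action, with "*" as a wildcard), the namespace name org.onap.demo and the identities alice@example.org and bob@example.org are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """A fine-grained permission scoped to a namespace.

    Assumed shape for this example: namespace + type + instance + action,
    where "*" in instance or action acts as a wildcard.
    """
    ns: str
    ptype: str
    instance: str
    action: str

    def covers(self, ns: str, ptype: str, instance: str, action: str) -> bool:
        return (
            self.ns == ns
            and self.ptype == ptype
            and self.instance in ("*", instance)
            and self.action in ("*", action)
        )


class Namespace:
    """A component's namespace: it owns roles, the permissions granted to
    those roles, and the identities assigned to each role."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.role_perms: dict[str, set[Permission]] = {}
        self.role_members: dict[str, set[str]] = {}

    def define_role(self, role: str) -> None:
        self.role_perms.setdefault(role, set())
        self.role_members.setdefault(role, set())

    def grant(self, role: str, perm: Permission) -> None:
        # A namespace may only grant permissions it owns: this is the
        # least-privilege boundary between components in this model.
        if perm.ns != self.name:
            raise ValueError(f"{self.name} cannot grant permission owned by {perm.ns}")
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r} in {self.name}")
        self.role_perms[role].add(perm)

    def assign(self, identity: str, role: str) -> None:
        if role not in self.role_members:
            raise KeyError(f"unknown role {role!r} in {self.name}")
        self.role_members[role].add(identity)


class Enforcer:
    """Enforcement point: decides access by resolving an identity's roles
    to the permissions granted to them. Unknown identities get nothing
    (default deny)."""

    def __init__(self, namespaces: list[Namespace]) -> None:
        self.namespaces = {n.name: n for n in namespaces}

    def permissions_of(self, identity: str) -> set[Permission]:
        perms: set[Permission] = set()
        for ns in self.namespaces.values():
            for role, members in ns.role_members.items():
                if identity in members:
                    perms |= ns.role_perms[role]
        return perms

    def is_authorized(self, identity: str, ns: str, ptype: str,
                      instance: str, action: str) -> bool:
        return any(p.covers(ns, ptype, instance, action)
                   for p in self.permissions_of(identity))


def build_demo() -> Enforcer:
    """Constructed sample data: one namespace with an admin and a reader role."""
    ns = Namespace("org.onap.demo")
    ns.define_role("admin")
    ns.define_role("reader")
    ns.grant("admin", Permission("org.onap.demo", "access", "*", "*"))
    ns.grant("reader", Permission("org.onap.demo", "access", "/api/data", "read"))
    ns.assign("alice@example.org", "reader")
    ns.assign("bob@example.org", "admin")
    return Enforcer([ns])


if __name__ == "__main__":
    e = build_demo()
    print(e.is_authorized("alice@example.org", "org.onap.demo", "access", "/api/data", "read"))   # True
    print(e.is_authorized("alice@example.org", "org.onap.demo", "access", "/api/data", "write"))  # False
    print(e.is_authorized("bob@example.org", "org.onap.demo", "access", "/api/data", "write"))    # True
```

The enforcement decision is default-deny: an identity not assigned to any role, or a permission not owned by the namespace doing the granting, never yields access. That mirrors the point made above that each component's Permissions, Roles and Credentials live in its own Namespace.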

...